Commit 240c0a0

Merge pull request #39039 from github/repo-sync
Repo sync
2 parents 4d7dc1a + dc5346a commit 240c0a0

12 files changed

+282
-4
lines changed

content/code-security/securing-your-organization/index.md

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -16,6 +16,7 @@ children:
1616
- /enabling-security-features-in-your-organization
1717
- /managing-the-security-of-your-organization
1818
- /understanding-your-organizations-exposure-to-leaked-secrets
19+
- /understanding-your-organizations-exposure-to-vulnerabilites
1920
- /fixing-security-alerts-at-scale
2021
- /troubleshooting-security-configurations
2122
---
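Review bot: the new child path on line 19, `- /understanding-your-organizations-exposure-to-vulnerabilites`, drops the second "i" of "vulnerabilities", while the new index page added in this same PR spells its title `Understanding your organization''s exposure to vulnerabilities`. Either the directory name carries the same typo (in which case the misspelled URL ships permanently and should be fixed before merge) or this entry will not resolve to the new directory at all; check the directory name and make the two agree on `vulnerabilities`.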
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,69 @@
1+
---
2+
title: About your exposure to vulnerable dependencies
3+
shortTitle: Dependency vulnerability exposure
4+
intro: 'Understanding your organization’s exposure to vulnerable dependencies is essential for identifying and prioritizing security risks. Leveraging {% data variables.product.prodname_dependabot %} metrics on {% data variables.product.github %} enables you to efficiently assess, prioritize, and remediate vulnerabilities, reducing the likelihood of security breaches.'
5+
allowTitleToDifferFromFilename: true
6+
product: '{% data reusables.gated-features.ghas-billing %}'
7+
versions:
8+
feature: dependabot-metrics
9+
topics:
10+
- Code Security
11+
- Secret Protection
12+
- Organizations
13+
- Security
14+
---
15+
16+
## About exposure to vulnerable dependencies
17+
18+
Assessing your exposure to vulnerable dependencies is crucial if you want to prevent:
19+
20+
* **Supply chain compromise**. Attackers can exploit vulnerabilities in open source or third-party dependencies to inject malicious code, elevate privileges, or gain unauthorized access to your systems. Compromised dependencies can serve as indirect entry points for malicious actors, leading to wide-reaching security incidents.
21+
22+
* **Widespread propagation of risk**. Vulnerable dependencies are often reused across multiple applications and services, meaning a single flaw can propagate throughout your organization, compounding the risk and impact of exploitation.
23+
24+
* **Unplanned downtime and operational disruption**. Exploitation of dependency vulnerabilities can result in application outages, degraded service quality, or cascading failures in critical systems, disrupting your business operations.
25+
26+
* **Regulatory and licensing issues**. Many regulations and industry standards require organizations to proactively address known vulnerabilities in their software supply chain. Failing to remediate vulnerable dependencies can result in non-compliance, audits, legal penalties, or breaches of open source license obligations.
27+
28+
* **Increased remediation costs**. The longer vulnerable dependencies remain unaddressed, the more difficult and expensive they become to fix, especially if they are deeply integrated or if incidents occur. Early detection and remediation reduce the risk of costly incident response, emergency patching, and reputational harm.
29+
30+
Regularly assessing your exposure to dependency vulnerabilities is good practice to help identify risks early, implement effective remediation strategies, and maintain resilient, trustworthy software.
31+
32+
{% data variables.product.prodname_dependabot %} automatically monitors your project’s dependencies for vulnerabilities and outdated packages. When it detects a security issue or a new version, it creates pull requests to update the affected dependencies, helping you quickly address security risks and keep your software up to date. This reduces manual effort and helps ensure your project remains secure. See [AUTOTITLE](/code-security/getting-started/dependabot-quickstart-guide).
33+
34+
{% data variables.product.github %} provides a comprehensive set of {% data variables.product.prodname_dependabot %} metrics to help you monitor, prioritize, and remediate these risks across all repositories in your organization. See [AUTOTITLE](/code-security/security-overview/viewing-metrics-for-dependabot-alerts).
35+
36+
## Key tasks for AppSec managers
37+
38+
### 1. Monitor vulnerability metrics
39+
40+
Use the metrics overview for {% data variables.product.prodname_dependabot %} to gain visibility into the current state of your organization's dependency vulnerabilities. See [AUTOTITLE](/code-security/security-overview/viewing-metrics-for-dependabot-alerts).
41+
42+
* **Alert prioritization:** Review the number of open {% data variables.product.prodname_dependabot_alerts %} and use filters such as CVSS severity, EPSS exploit likelihood, patch availability, and whether a vulnerable dependency is actually used in deployed artifacts. {% data reusables.security-overview.dependabot-filters-link %}
43+
* **Repository-level breakdown:** Identify which repositories have the highest number of critical or exploitable vulnerabilities.
44+
* **Remediation tracking:** Track the number and percentage of alerts fixed over time to measure the effectiveness of your vulnerability management program.
45+
46+
### 2. Prioritize remediation efforts
47+
48+
Focus on vulnerabilities that present the highest risk to your organization.
49+
50+
* Prioritize alerts with high or critical severity, high EPSS scores, and available patches.
51+
* Use the repository breakdown to direct remediation efforts to the most at-risk projects.
52+
* Encourage development teams to address vulnerabilities that are actually used in deployed artifacts through repository custom properties.
53+
54+
### 3. Communicate risk and progress
55+
56+
* Use the {% data variables.product.prodname_dependabot %} metrics page to communicate key risk factors and remediation progress to stakeholders.
57+
* Provide regular updates on trends, such as the reduction in open critical vulnerabilities or improvements in remediation rates.
58+
* Highlight repositories or teams that require additional support or attention.
59+
60+
### 4. Establish and enforce policies
61+
62+
* Set organization-wide policies to require dependency review and {% data variables.product.prodname_dependabot_alerts %} on all repositories. See [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review) and [AUTOTITLE](/code-security/dependabot/dependabot-alerts/about-dependabot-alerts).
63+
* Ensure that new repositories are automatically enrolled in dependency monitoring.
64+
* Work with repository administrators to enable automated security updates where possible. See [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates).
65+
66+
### 5. Assess the impact of {% data variables.product.prodname_dependabot_alerts %}
67+
68+
* Regularly review how {% data variables.product.prodname_dependabot_alerts %} are helping to block security vulnerabilities from entering your codebase.
69+
* Use historical data to demonstrate the value of proactive dependency management.
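Review bot: the `topics` list on lines 10-13 tags this Dependabot page with `- Secret Protection` instead of `- Dependabot`, which both sibling pages in this PR use; it reads as a leftover from copying the leaked-secrets page and will file this article under the wrong topic. Two wording points in the body: line 32 states that Dependabot "creates pull requests to update the affected dependencies" unconditionally, but alerts alone do not open pull requests, and line 64 of this same file treats automated security updates as something to "enable ... where possible", so line 32 should say that pull requests are created when security updates (or version updates) are enabled. Line 52, "address vulnerabilities that are actually used in deployed artifacts through repository custom properties", reads as if custom properties establish whether vulnerable code is used; a clearer phrasing is "Use repository custom properties to identify repositories that produce deployed artifacts, and direct teams to address alerts in those repositories first."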
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,15 @@
1+
---
2+
title: 'Understanding your organization''s exposure to vulnerabilities'
3+
shortTitle: Exposure to vulnerabilities
4+
intro: 'Understanding your organization’s exposure to vulnerable dependencies is crucial for identifying and prioritizing security risks. This awareness allows you to prioritize remediation efforts, reduce the likelihood of security breaches, protect sensitive data, and maintain the overall integrity and reputation of the organization.'
5+
versions:
6+
feature: dependabot-metrics
7+
topics:
8+
- Code Security
9+
- Dependabot
10+
- Organizations
11+
- Security
12+
children:
13+
- /about-your-exposure-to-vulnerable-dependencies
14+
- /prioritizing-dependabot-alerts-using-metrics
15+
---
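Review bot: the `intro` on line 4 is near-verbatim the intro of the child page `about-your-exposure-to-vulnerable-dependencies` ("Understanding your organization’s exposure to vulnerable dependencies is crucial for identifying and prioritizing security risks..."), so the index and its first child will render the same opening text; a one-sentence intro that describes the two children (assessing exposure, then prioritizing alerts with metrics) would distinguish them. The `topics` list here correctly uses `- Dependabot`; bring the child page's list in line with it.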
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,73 @@
1+
---
2+
title: Prioritizing Dependabot alerts using metrics
3+
shortTitle: Prioritize Dependabot alerts using metrics
4+
intro: 'You can prioritize {% data variables.product.prodname_dependabot_alerts %} in your organization by analyzing the provided metrics. Using this approach, you can tell your developers to focus on the most important vulnerabilities first.'
5+
allowTitleToDifferFromFilename: true
6+
permissions: '{% data reusables.permissions.security-org-enable %}'
7+
versions:
8+
feature: dependabot-metrics
9+
topics:
10+
- Code Security
11+
- Dependabot
12+
- Organizations
13+
- Security
14+
---
15+
16+
## Prioritizing {% data variables.product.prodname_dependabot_alerts %} using metrics
17+
18+
Application Security (AppSec) managers often face a flood of {% data variables.product.prodname_dependabot_alerts %}, making it challenging to determine which vulnerabilities to address first. {% data variables.product.prodname_dependabot %} metrics provide valuable insights that help prioritize alerts efficiently, ensuring that critical security issues are resolved promptly. Users can make informed decisions, focusing resources on the most impactful vulnerabilities. This approach strengthens the organization’s security posture and streamlines vulnerability management.
19+
20+
## Understanding {% data variables.product.prodname_dependabot %} metrics
21+
22+
{% data variables.product.prodname_dependabot %} metrics offer detailed information about vulnerabilities detected in your dependencies. Key metrics include:
23+
24+
* **Severity**: Indicates the potential impact of a vulnerability (e.g., low, medium, high, critical).
25+
* **Exploitability**: Assesses how easily a vulnerability can be exploited.
26+
* **Dependency relationship**: Differentiates between direct and transitive dependencies.
27+
* **Dependency scope**: Differentiates between runtime and development dependencies. Determines if the vulnerable code is actually used in your application.
28+
* **Alerts closed in the last 30 days, including the number of alerts fixed by {% data variables.product.prodname_dependabot %}, manually dismissed, and auto dismissed**: Tracks alert resolution progress. Illustrates how {% data variables.product.prodname_GH_code_security %} can help you detect vulnerabilities early.
29+
* **Table showing the total number of open alerts for each repository, as well as severity and expoitability data**: Allows you to dig deeper at the repository level.
30+
31+
Additionally, you can specify complex filters, which are combinations of the individual filters that are available. For more information about filters, see [{% data variables.product.prodname_dependabot %} dashboard view filters](/code-security/security-overview/filtering-alerts-in-security-overview#dependabot-dashboard-view-filters).
32+
33+
## Steps to prioritize alerts
34+
35+
These first steps help you identify the {% data variables.product.prodname_dependabot_alerts %} that put your organization the most at risk, so that you can tell your developers which alerts to focus on for remediation.
36+
37+
### 1. Tailor the funnel order to suit your organization's needs
38+
39+
You can customize the default funnel order on the "Alert prioritization" graph to ensure it reflects the unique risk profile, business priorities, and compliance requirements of your organization. See [AUTOTITLE](/code-security/security-overview/viewing-metrics-for-dependabot-alerts#configuring-funnel-categories).
40+
41+
### 2. Focus on critical and high severity alerts
42+
43+
Start by identifying alerts with the highest severity by using the the `severity-critical` or `severity-high` filters. These vulnerabilities pose the greatest risk and are often prioritized by compliance standards. You can then
44+
45+
### 3. Assess exploitability and reachability
46+
47+
Prioritize vulnerabilities that are the most likely to be exploited in your codebase. To identify alerts that are most likely to be exploited, you can use the `epss_percentage` filter associated to a value (for example `epss_percentage>=0.10`).
48+
49+
### 4. Review dependency scope and relationship
50+
51+
Direct dependencies are typically easier to update and may have a greater impact on your application’s security. We recommend addressing these before transitive dependencies when possible.
52+
Filtering alerts using the `relationship:direct` filter allows us to see vulnerabilities on direct dependencies for supported ecosystems like npm.
53+
54+
Runtime dependencies are used by an application in production. Updating this sort of dependency can address security vulnerabilities, bug fixes, and performance improvements that affect your end users or systems directly. On the other hand, development dependencies are only used during development, testing, or build processes. While important, issues in these dependencies usually don’t impact your running application or its users.
55+
56+
You can use the `scope:runtime` or `scope:development` filters to only display alerts for runtime or development dependencies, respectively.
57+
58+
### 5. Consider the age of alerts
59+
60+
Older alerts may indicate long-standing risks. Regularly review and address aged alerts to prevent security debt from accumulating. For example, once you establish that a specific repository has more alerts that need prioritizing than other repositories, you can:
61+
1. Click the repository name on the per-repository table to display the alerts for that repository only.
62+
1. Use the "Older" filter in the **Sort** dropdown list, as well as other sorting criteria, to fine-tune the visualization to alerts meeting your criteria by age.
63+
64+
### 6. Leverage automation
65+
66+
Use {% data variables.product.prodname_dependabot %}’s automated pull requests to quickly remediate vulnerabilities. Integrate these updates into your CI/CD pipeline for faster resolution and improved efficiency.
67+
68+
## Best practices
69+
70+
* **Establish Service Level Agreements (SLAs)** for resolving vulnerabilities based on severity.
71+
* **Monitor metrics regularly** to identify trends and recurring issues.
72+
* **Collaborate with developers** to ensure timely updates and minimize disruption.
73+
* **Document decisions** to provide transparency and support future prioritization.
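Review bot: line 43 ends mid-sentence ("These vulnerabilities pose the greatest risk and are often prioritized by compliance standards. You can then") and also doubles "the" in "using the the `severity-critical`"; the sentence needs finishing, and the filter syntax should be checked, since the rest of the file writes filters as `relationship:direct`, `scope:runtime` and `epss_percentage>=0.10` rather than the hyphenated `severity-critical` form. Further points: line 27 says dependency scope "Determines if the vulnerable code is actually used in your application", but runtime-versus-development scope does not establish reachability, so drop or soften that sentence; line 29 misspells "exploitability" as "expoitability"; line 47 should state the unit for `epss_percentage`, because the name says percentage while the example value `0.10` looks like a fraction; line 52 "allows us to see" should be "allows you to see" to match the rest of the page; and line 62 calls "Older" a filter in the **Sort** dropdown, whereas the filter table added to `filtering-alerts-in-security-overview.md` in this PR lists it as the `sort` value `oldest`, so call it a sort option.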

content/code-security/security-overview/filtering-alerts-in-security-overview.md

Lines changed: 14 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -162,7 +162,7 @@ You can also filter the "Overview" view by properties of alerts.
162162

163163
{% endif %}
164164

165-
## {% data variables.product.prodname_dependabot %} alert view filters
165+
### {% data variables.product.prodname_dependabot %} alert view filters
166166

167167
You can filter the view to show {% data variables.product.prodname_dependabot_alerts %} that are ready to fix or where additional information about exposure is available. You can click any result to see full details of the alert.
168168

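Review bot: demoting `## ... alert view filters` to `###` on line 165 makes this section a child of whichever `##` heading precedes line 162, which is outside the hunk and sits inside a `{% endif %}`-terminated version block; confirm that a `##` parent heading exists for every version this page builds for, so the hierarchy does not start at `###` in some builds. Heading slugs do not change with level, so existing `#dependabot-alert-view-filters` links keep working.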
@@ -176,7 +176,19 @@ You can filter the view to show {% data variables.product.prodname_dependabot_al
176176
|`scope`|Display {% data variables.product.prodname_dependabot_alerts %} from the development dependency (`development`) or from the runtime dependency (`runtime`).|
177177
|`sort`| Groups {% data variables.product.prodname_dependabot_alerts %} by the manifest file path the alerts point to (`manifest-path`) or by the name of the package where the alert was detected (`package-name`). Alternatively, displays alerts from most important to least important, as determined by CVSS score, vulnerability impact, relevancy, and actionability (`most-important`), from newest to oldest (`newest`), from oldest to newest (`oldest`), or from most to least severe (`severity`).
178178

179-
## {% data variables.product.prodname_code_scanning_caps %} alert view filters
179+
{% ifversion dependabot-metrics %}
180+
181+
### {% data variables.product.prodname_dependabot %} dashboard filters
182+
183+
You can filter the "{% data variables.product.prodname_dependabot %} dashboard" view using these filters.
184+
185+
{% data reusables.security-overview.filter-dependabot-metrics %}
186+
187+
Alternatively, you can use complex filters by clicking **{% octicon "filter" aria-hidden="true" aria-label="filter" %} Filter** and build custom filters to suit your needs.
188+
189+
{% endif %}
190+
191+
### {% data variables.product.prodname_code_scanning_caps %} alert view filters
180192

181193
All {% data variables.product.prodname_code_scanning %} alerts have one of the categories shown below. You can click any result to see full details of the relevant query and the line of code that triggered the alert.
182194

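Review bot: the new heading on line 181 renders as "Dependabot dashboard filters" (slug `dependabot-dashboard-filters`), but the prioritizing page added in this PR links to `filtering-alerts-in-security-overview#dependabot-dashboard-view-filters`, so that cross-reference will land at the top of the page instead of this section; either rename the heading to "... dashboard view filters", matching the "... alert view filters" heading just above it, or fix the anchor in the link. Line 183 then says "using these filters" before a reusable whose contents are not in this diff; make sure `filter-dependabot-metrics` actually renders a table in the same two-column format as the alert-view table above so the two read consistently.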
content/code-security/security-overview/index.md

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -20,6 +20,7 @@ children:
2020
- /filtering-alerts-in-security-overview
2121
- /enabling-security-features-for-multiple-repositories
2222
- /exporting-data-from-security-overview
23+
- /viewing-metrics-for-dependabot-alerts
2324
- /viewing-metrics-for-secret-scanning-push-protection
2425
- /viewing-metrics-for-pull-request-alerts
2526
- /reviewing-requests-to-bypass-push-protection
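Review bot: the new child `/viewing-metrics-for-dependabot-alerts` is linked from three places in the new pages in this PR, including the fragment `viewing-metrics-for-dependabot-alerts#configuring-funnel-categories` on line 39 of `prioritizing-dependabot-alerts-using-metrics.md`; that page's diff is not shown here, so confirm it is part of this PR and contains a "Configuring funnel categories" heading that produces that slug, otherwise the link breaks on merge.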
